Force TLS 1.2 on Fetch?

A quick question: I am fetching, from a Worker, a site that breaks when you request it using TLS 1.3. Unfortunately, resolving this problem with the origin is not an option. Is it possible to force fetch from a Worker to use TLS 1.2?

Thanks!

I know you essentially stated that the origin is off limits; however, just turning off TLSv1.3 in the dash and setting TLSv1.2 as the de facto HTTP encryption protocol would solve your problem. If not, I know there’s an example script that could be modified to function as you want:

async function handleRequest(request) {
  try {
    const tlsVersion = request.cf.tlsVersion;

    // Allow only TLS versions 1.2 and 1.3
    if (tlsVersion !== 'TLSv1.2' && tlsVersion !== 'TLSv1.3') {
      return new Response('Please use TLS version 1.2 or higher.', {
        status: 403,
      });
    }

    return fetch(request);
  } catch (err) {
    console.error('request.cf does not exist in the previewer, only in production');
    return new Response('Error in workers script: ' + err.message, {
      status: 500,
    });
  }
}

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request));
});

which can be found here:

https://developers.cloudflare.com/workers/examples/block-on-tls/

You cannot control the TLS version of sub-requests. Cloudflare will choose the highest version supported by both the client and server. If the server does not work with TLSv1.3 then it should not advertise support for it.

2 Likes

Ah, that’s a pain. Thanks though.

That’s kinda what I said in the first half of my response.

Those settings and that script are for Client → Cloudflare. OP is asking about Workers sub-requests, which are Cloudflare → Server.

5 Likes
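Added example (not from any poster in this thread and not Cloudflare's code): since the version on the Cloudflare → Server leg is whatever the origin selects, one way to confirm what it picks is to read the ServerHello from a packet capture taken at the origin. The function names and the sample bytes are constructed for illustration; the returned strings use the same format as `request.cf.tlsVersion`.

```javascript
// Added example: sample bytes below are constructed, not captured from a real origin.
const VERSIONS = { 0x0301: 'TLSv1', 0x0302: 'TLSv1.1', 0x0303: 'TLSv1.2', 0x0304: 'TLSv1.3' };

// Returns the TLS version selected in one unencrypted ServerHello record.
function negotiatedVersion(record) {
  const b = Uint8Array.from(record);
  // 5-byte record header + 4-byte handshake header + version + random + session_id length
  if (b.length < 44 || b[0] !== 0x16 || b[5] !== 0x02) {
    throw new Error('not a ServerHello handshake record');
  }
  let p = 9;
  const u16 = () => { const v = (b[p] << 8) | b[p + 1]; p += 2; return v; };
  let version = u16();        // legacy_version: 0x0303 for both TLS 1.2 and TLS 1.3
  p += 32;                    // random
  p += 1 + b[p];              // legacy_session_id (length-prefixed)
  p += 3;                     // cipher_suite (2 bytes) + compression_method (1 byte)
  if (p + 2 <= b.length) {    // the extensions block is optional in TLS 1.2
    const end = Math.min(p + 2 + ((b[p] << 8) | b[p + 1]), b.length);
    p += 2;
    while (p + 4 <= end) {
      const type = u16();
      const len = u16();
      // supported_versions (0x002b) carries the real selected version in TLS 1.3
      if (type === 0x002b && len === 2 && p + 2 <= end) version = (b[p] << 8) | b[p + 1];
      p += len;
    }
  }
  return VERSIONS[version] || 'unknown';
}

// Builds a constructed ServerHello record for the demo (fixed random, empty session id).
function sampleServerHello(cipher, extensions) {
  const body = [0x03, 0x03, ...new Array(32).fill(0xab), 0x00, cipher >> 8, cipher & 0xff, 0x00,
    extensions.length >> 8, extensions.length & 0xff, ...extensions];
  const hs = [0x02, 0x00, body.length >> 8, body.length & 0xff, ...body];
  return [0x16, 0x03, 0x03, hs.length >> 8, hs.length & 0xff, ...hs];
}

// TLS 1.3 reply: supported_versions extension selects 0x0304.
const tls13 = sampleServerHello(0x1301, [0x00, 0x2b, 0x00, 0x02, 0x03, 0x04]);
// TLS 1.2 reply: only a renegotiation_info extension, no supported_versions.
const tls12 = sampleServerHello(0xc02f, [0xff, 0x01, 0x00, 0x01, 0x00]);
console.log(negotiatedVersion(tls13), negotiatedVersion(tls12));
```

Both sample records carry `0x0303` in the legacy version field, so only the `supported_versions` extension tells a TLS 1.3 reply apart from a TLS 1.2 one.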
